Some websites provided by enterprises (e.g., retailers, insurance providers, financial institutions, educational institutions, etc.) include one or more restricted portions that require a user to provide login credentials and be authorized before the user is granted access to them. Examples of restricted portions of websites include payment pages, account information and history, records, and the like. Typically, a user is prompted to provide a login or user name and credentials such as a password, passphrase, biometric information, etc. in order to be authenticated and granted access to the restricted portions or, for some websites, to the entirety of the website itself.
Multiple, explicit user log-in requests from a website can be cumbersome and detract from the user's experience. To address this issue, some websites cause a cookie or other data storage entity to be stored at a user's personal electronic device (PED), e.g., in conjunction with a web browser at the user's PED. The cookie typically stores the user's login/username, credentials, and/or other identifying information, which are automatically provided to the website so that the user does not have to re-enter his or her login and credentials, thereby perpetually maintaining the logged-in state of the user at the website until, for example, the user takes steps to explicitly delete the cookie.
This approach, while convenient for the user, creates significant security risks. For example, as long as the cookie exists on the user's PED, anyone who uses the user's PED has automatic access to the website and to the user's account via the browser under the user's credentials stored in the cookie, and is therefore able to make unauthorized purchases or financial transactions, view the user's personal records, manipulate the user's personal data, and the like.
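As an added illustration, not part of the original text, the following Python contrasts the credential-bearing persistent cookie described above with an opaque, expiring, server-revocable session token. The function names, the 15-minute idle timeout and the in-memory session store are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60   # seconds; hypothetical policy value
SESSIONS = {}            # server-side store: sha256(token) -> {"user", "expires"}


def credential_cookie(username, password):
    """Weak pattern from the text: the cookie itself carries the login data,
    so whoever holds the device holds the account until the cookie is deleted."""
    c = SimpleCookie()
    c["auth"] = "%s:%s" % (username, password)
    return c.output(header="").strip()


def issue_session(username, now=None):
    """Hardened pattern: an opaque random token mapped to a server-side record
    with an expiry. Only the token's hash is stored, so a leaked store does
    not yield usable tokens."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    SESSIONS[key] = {"user": username, "expires": now + IDLE_TIMEOUT}
    return token


def session_cookie(token):
    """Cookie attributes that limit how the token can be read or replayed."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True          # page scripts cannot read it
    c["sid"]["secure"] = True            # sent over HTTPS only
    c["sid"]["samesite"] = "Strict"      # not attached to cross-site requests
    c["sid"]["max-age"] = IDLE_TIMEOUT   # browser discards it; not a permanent login
    return c.output(header="").strip()


def resolve_session(token, now=None):
    """Return the username for a live token, or None if unknown or expired.
    Expired records are deleted so a stale cookie cannot be reused."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = SESSIONS.get(key)
    if rec is None:
        return None
    if now >= rec["expires"]:
        del SESSIONS[key]
        return None
    rec["expires"] = now + IDLE_TIMEOUT  # sliding idle timeout
    return rec["user"]


def revoke_session(token):
    """Explicit logout: removing the server record invalidates the cookie
    even if a copy of it remains on the device."""
    SESSIONS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```

Because the server record, not the cookie, is authoritative, a session can also be terminated centrally (for example on password change) without relying on the user to delete anything from the device.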